Binary Exploitation [pwnable.kr] - (Level 6) random
Description: Daddy, teach me how to use random value in programming!
The challenge binary is on ssh firstname.lastname@example.org -p2222 (pw:guest)
As you would have guessed, this challenge is about exploiting random value generation. Let's look at the file random.c, which you will find on the server once you log in.
The program is very simple: it accepts an integer input, XORs it with the random value generated by the rand() function, and compares the result with 0xdeadbeef. If the values match, the flag is printed.
In the above program, the condition key ^ random = 0xdeadbeef can be reversed: it is equivalent to random ^ 0xdeadbeef = key. So to solve this challenge we have to figure out a way to predict the random value generated by the rand() function. Then we can reverse the operation by XORing the rand value with 0xdeadbeef to get the input we need to get the flag.
Random Number Generator
Every time you call the rand() function it returns a pseudo-random number. This function is usually used to generate a sequence of random numbers. But this gets inconvenient if you want to reproduce the same sequence; for that, we set the seed value before calling rand(). So essentially you can reset the random sequence generator by setting the seed value, and calling rand() again will reproduce the same sequence. You can set the seed value using the srand() function.
Let's look at the rand() function docs: they state that if we don't set the seed value with srand(), the seed value defaults to 1. Aha… there you go, so we can reproduce the random value. Write a sample program that prints the random value on the server; that will be the number you have to XOR with 0xdeadbeef to get the input.
Here is the sample program you need to execute on the server that simply prints the random value.
But there is a catch: you cannot write anything in the home directory. You can, however, go to the tmp directory, create a folder there, paste the above code into a new file, then compile and run the program.
random@pwnable:/tmp$ mkdir r_t
As you can see, the program above produces the same random value every time, and so will the random.c program.
Now you can XOR this value with 0xdeadbeef to get the result. The command is as follows:
python -c 'print(1804289383^0xdeadbeef)' returns the value 3039230856 in my case. Once you give the integer to the program, it will print the flag.
random@pwnable:/tmp/r_t$ cd ~
In this challenge, we learn how to exploit a weakness in random value generation. Although it may look silly, this kind of weakness can compromise an entire cryptographic process, which is a very serious problem. Nonetheless, a crafty little challenge for a beginner.
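The weakness described above, next to a hardened alternative, as an added example that is not the challenge's random.c or code from the original post. The function names are hypothetical, and reading /dev/urandom assumes a Unix-like system.

```c
/* Added example: constructed for illustration, not the challenge's random.c. */
#include <stdio.h>
#include <stdlib.h>

#define TARGET 0xdeadbeefu   /* constant the page's check compares against */

/* First rand() output after seeding. Per the C standard, a program that
 * never calls srand() gets the same sequence as after srand(1). */
unsigned int first_rand_for_seed(unsigned int seed) {
    srand(seed);
    return (unsigned int)rand();
}

/* Invert key ^ random == TARGET to get key = random ^ TARGET. */
unsigned int key_for(unsigned int random_value) {
    return random_value ^ TARGET;
}

/* The comparison the page describes: does key ^ random equal TARGET? */
int check(unsigned int key, unsigned int random_value) {
    return (key ^ random_value) == TARGET;
}

/* Hardened source (assumes a Unix-like /dev/urandom): the value comes from
 * the kernel CSPRNG, so a second process cannot reproduce it. 0 on success. */
int secure_random(unsigned int *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

int main(void) {
    unsigned int unseeded = (unsigned int)rand();   /* no srand() call yet */
    unsigned int seeded = first_rand_for_seed(1);
    printf("unseeded=%u seed1=%u same=%d\n", unseeded, seeded, unseeded == seeded);
    printf("key=%u accepted=%d\n", key_for(seeded), check(key_for(seeded), seeded));

    unsigned int a, b;
    if (secure_random(&a) == 0 && secure_random(&b) == 0)
        printf("urandom draws: %u %u (differ run to run)\n", a, b);
    return 0;
}
```

Any secret that must stay unpredictable should come from a source like secure_random(), never from rand(), whether seeded or not.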